Methods and Devices for OTA Subscription Management

ABSTRACT

A method of providing a secure element of a mobile terminal with a subscription profile in which the mobile terminal is configured to communicate with a cellular communications network and the subscription profile comprises a network specific portion related to the cellular communications network or a different cellular communications network as well as a hardware specific portion related to the hardware of the mobile terminal and/or the secure element. The method comprises the steps of: assembling the subscription profile, wherein the network specific portion of the subscription profile is provided by a first server and the hardware specific portion of the subscription profile is provided by a second server; and providing the subscription profile over-the-air to the secure element. A corresponding secure element, mobile terminal and subscription management backend system involves features of the method.

FIELD OF THE INVENTION

The invention relates to mobile communications in general and inparticular to methods and devices for over-the-air (OTA) subscriptionmanagement of mobile terminals comprising a secure element, such as asubscriber identity module (SIM), an eUICC/UICC or the like.

BACKGROUND OF THE INVENTION

Communicating by means of a mobile terminal, such as a mobile phone, viaa public land mobile network (PLMN; also referred to as a mobile orcellular communications network herein) operated by a mobile networkoperator (MNO) generally requires the mobile terminal to be equippedwith a secure element for securely storing data uniquely identifying theuser of the mobile terminal (also called subscriber). For instance, inthe context of a mobile terminal configured to communicate according tothe Global System for Mobile Communications (GSM), currently the world'smost popular standard for mobile communications systems, the secureelement is called a subscriber identity module (SIM) and is usuallyprovided in the form of a smart card. According to the GSM standard, thetechnical features of which are defined by a large number ofinterrelated and mutually dependent specifications published by the ETSIstandardization organization, the SIM contains subscription credentialsfor authenticating and identifying the user of the mobile terminal,including in particular an International Mobile Subscriber Identity(IMSI) and an authentication key K_(i). These subscription credentialsare generally stored on the SIM by the SIM manufacturer/vendor or theMNO during a SIM personalization process prior to providing the user ofthe mobile terminal with his SIM. A non-personalized SIM is generallynot suited for use in a mobile terminal, i.e. the use of the servicesprovided by a PLMN with a non-personalized SIM without the necessarysubscription credentials is not possible.

One particular field of application of secure elements, such as SIMs,eUICCs, UICCs and the like, which is expected to grow rapidly in thenear future is M2M (machine-to-machine) communication, i.e. thecommunication between machines over a cellular communications networkwithout human intervention, also called the Internet of things. In M2Mcommunication data is automatically transmitted between many differenttypes of machines equipped with a secure element in the form of a M2Mmodule, such as TV systems, set top boxes, vending machines, vehicles,traffic lights, surveillance cameras, sensor devices, and the like. Itis foreseeable that at least for some of these devices it will not bepossible or at least very difficult to provide the secure elementbeforehand with the necessary subscription credentials, including forinstance an IMSI. This is because in a lot of M2M devices the secureelement will most likely be implemented in the form of a surface mountedchip or chip module without the possibility of providing the secureelement with the necessary subscription credentials beforehand.Consequently, once in the field, these M2M devices and theirnon-personalized secure elements require the provision of subscriptioncredentials over-the-air.

When using the services provided by a MNO, in particular communicatingvia the PLMN provided by the MNO, the user of a mobile terminal isusually charged a certain monthly fee by the MNO. If the mobile userwants, for instance due to a lower monthly charge and/or superiorservices, to change to a different MNO, he generally has to manuallyreplace the SIM provided by the current MNO and containing, inparticular, the subscription credentials necessary for attaching to thePLMN of the current MNO by the SIM provided by the new MNO andcontaining the subscription credentials necessary for attaching to thePLMN of the new MNO. Certainly, it would be easier for the user, ifinstead of this conventional process of switching to a new MNO bymanually replacing the SIM it would be possible to use one and the samesecure element in the form of a SIM that can be “reprogrammed”over-the-air. However, as different MNOs often use differentauthentication algorithms for the SIM attachment process it is generallynot sufficient to simply download new subscription credentials to theSIM. Rather, the SIM has to be provided over-the-air with a new completesubscription profile, including subscription credentials, applicationsand/or at least parts of a SIM operating system. Methods providing forthis possibility are not known from the prior art or at best rathercumbersome.

In light of the above, the problem addressed by the present invention isto provide for methods and devices that allow providing the secureelement of a mobile terminal over-the-air with a subscription profile.

SUMMARY OF THE INVENTION

The above object is achieved according to the present invention by thesubject-matter of the independent claims. Preferred embodiments of theinvention are defined in the dependent claims.

According to a first aspect the invention relates to a method ofproviding a secure element of a mobile terminal with a subscriptionprofile. The mobile terminal is configured to communicate with acellular communications network and the subscription profile comprises anetwork specific portion related to the cellular communications networkor a different cellular communications network as well as a hardwarespecific portion related to the hardware of the mobile terminal and/orthe secure element. The method comprises the steps of: assembling thesubscription profile, wherein the network specific portion of thesubscription profile is provided by a first server and the hardwarespecific portion of the subscription profile is provided by a secondserver; and providing the subscription profile over-the-air to thesecure element.

As used herein, a “subscription profile” (or short “subscription”) cancomprise at least parts of a secure element operating system, one ormore applications, files and/or data, such as subscription credentials.A “subscription profile” according to the present invention comprises,in particular, a hardware specific portion, i.e. components of thesubscription profile that are related to the hardware of the mobileterminal and/or the secure element, and a network specific portion, i.e.components of the subscription profile that are related to the detailsof the cellular communications network (or a different cellularcommunications network associated with the subscription profile).

As used herein, the expression “providing a secure element of a mobileterminal with a subscription profile” comprises the complete exchange ofan old subscription profile with a new subscription profile, theaddition of a new subscription profile besides an already existingsubscription profile as well as a partial exchange of an existingsubscription profile which may be an update of the existing subscriptionprofile.

Preferably, the method comprises prior to the step of assembling thesubscription profile the additional step of identifying the secureelement by means of an identification element ID_(se) for determining aconfiguration key K_(conf) and a secure element key K_(se) associatedwith the secure element.

According to preferred embodiments of the invention, the step ofidentifying the secure element comprises the steps of: transmitting theidentification element ID_(se) from the secure element to the firstserver; forwarding the identification element ID_(se) of the secureelement to the second server; and transmitting the configuration keyK_(conf) determined on the basis of the identification element ID_(se)from the second server to the first server.

Preferably, the identification element ID_(se) is transmitted from thesecure element to the first server by means of a message including theidentification element ID_(se) in the clear and an encrypted version ofthe identification element ID_(se) encrypted by using a configurationkey K_(conf) stored on the secure element.

According to preferred embodiments of the invention, the messagetransmitted from the secure element to the first server furthercomprises an encrypted version of a session key K_(ses) created by thesecure element and an encrypted version of a hardware configurationHW_(conf) of the secure element and/or the mobile terminal bothencrypted using the configuration key K_(conf).

Preferably, the first server decrypts the encrypted version of theidentification element ID_(se), the encrypted version of the session keyK_(ses) and the encrypted version of the hardware configurationHW_(conf) of the secure element and/or the mobile terminal using theconfiguration key K_(conf) provided by the second server so that thefirst server can verify the validity of the configuration key K_(conf)provided by the second server by verifying that the identificationelement ID_(se) sent in the clear is identical to the identificationelement ID_(se) resulting from the decryption of the encrypted versionof the identification element ID_(se) using the configuration keyK_(conf).

Preferably, the hardware configuration HW_(conf) of the secure elementand/or the mobile terminal is determined on the fly by a subscriptionmanagement application being executed on the secure element and/or themobile terminal or retrieved from a memory unit of the secure elementand/or a memory unit of the mobile terminal.

According to preferred embodiments of the invention, the second servertransmits the configuration key K_(conf) determined on the basis of theidentification element ID_(se) to the first server only after the firstserver has successfully authenticated itself vis-à-vis the second serveror a mutual authentication between the first server and the secondserver.

Preferably, the step of assembling the subscription profile comprisesthe steps of encrypting the hardware specific portion of thesubscription profile by the second server using the secure element keyK_(se) and encrypting the network specific portion of the subscriptionprofile by the first server using the configuration key K_(conf).

According to preferred embodiment of the invention, the method furthercomprises the step of encrypting the encrypted hardware specific portionof the subscription profile and the encrypted network specific portionof the subscription profile using a session key K_(ses) created by thesecure element.

Preferably, the step of assembling the subscription profile comprisesthe additional step of determining at least one subscription profilebeing compatible with a hardware configuration HW_(conf) of the secureelement and/or the mobile terminal.

According to preferred embodiments of the invention, the hardwarespecific portion of the subscription profile comprises at least parts ofan operating system OS for the secure element and/or the networkspecific portion of the subscription profile comprises subscriptioncredentials CREDS, preferably including an IMSI and/or an authenticationkey K_(i), for attaching the secure element to the cellularcommunications network or a different cellular communications networkassociated with the subscription profile.

According to a second aspect the invention provides for a secure elementcomprising a subscription profile provided to the secure element by themethod according to the first aspect of the invention.

Preferably, the secure element is a subscriber identity module (SIM) forauthentication/identification of a subscriber in the cellularcommunications network. Such a SIM communicates with the mobile terminalvia a card reader therein and can be removed in principle from themobile terminal to be either replaced by a different SIM and/or used ina different mobile terminal. Alternatively, the secure element is anintegral part of the mobile terminal such as a hard-wired chip module.Such embedded secure elements are known, for instance, as embeddedUniversal Integrated Circuit Cards (eUICCs). Preferably, the secureelement supports storage of multiple subscription profiles which may beassociated with different MNOs. Generally, only one subscription profileis active at a time.

According to a third aspect the invention provides for a mobile terminalcontaining a secure element according to the second aspect of theinvention.

The mobile terminal according to the present invention comprises meansfor communicating with a cellular communications network, in order toreceive a new subscription profile. Preferably, the mobile terminal isimplemented in form of a smart phone, a tablet PC, a notebook, a PDA, orthe like. Alternatively the mobile terminal can be a multimedia devicesuch as digital picture frame, audio equipment, a TV system, a set topbox, an e-book reader and so on. By way of example, the term “mobileterminal” also includes any kind of machinery, like vending machines,vehicles, smart-meters and the like that are configured to communicatevia a cellular communications system.

According to a fourth aspect the invention provides for a subscriptionmanagement backend system, comprising a first server and a secondserver, wherein the first server and the second server are configured toprovide a secure element of a mobile terminal with a subscriptionprofile by means of the method according to the first aspect of theinvention.

As generally the hardware related portion of a subscription profile isavailable to the manufacturer and/or vendor of the mobile terminaland/or the secure element, whereas the network related portion isavailable to the MNO of the cellular communications network, preferablythe second server providing for the hardware related portion of thesubscription profile is operated by the manufacturer and/or vendor ofthe mobile terminal and/or the secure element and the first serverproviding for the network related portion of the subscription profile isoperated by the MNO of the cellular communications network (or adifferent cellular communications network associated with thesubscription profile). Alternatively, the first server could be operatedby a subscription management provider serving a number of different MNOsoperating different cellular communications networks

These and other features, characteristics, advantages, and objects ofthe invention will be clear from the following detailed description ofpreferred embodiments, given as a non-restrictive example, underreference to the attached drawings. The person skilled in the art willappreciate, in particular, that the above preferred embodiments can becombined in several ways, which will result in additional advantageousembodiments that are explicitly supported and covered by the presentinvention. In particular, the person skilled in the art will appreciatethat the above described preferred embodiments can be implemented in thecontext of the different aspects of the invention.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows a schematic overview of a communications systemillustrating different aspects of the present invention; and

FIG. 2 shows a diagram illustrating a method for providing asubscription profile to the secure element of a mobile terminalaccording to a preferred embodiment of the invention.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS

FIG. 1 shows schematically the components of a communications system 10as well as some of the communication channels or links between thecomponents of this system 10 that illustrate different aspects of thepresent invention. Although the below detailed description will refer toa “mobile” terminal, the person skilled in the art will appreciate thatthe present invention can be advantageously implemented in the contextof any kind of terminals that are configured to communicate via a mobileor cellular communications network. In other words, the attribute“mobile” used herein refers to the ability of the terminal tocommunicate via a mobile or cellular communications network, alsoincluding IP based mobile communication networks.

An exemplary mobile terminal 12 is shown in FIG. 1 including a secureelement 20 for securely storing and processing data that uniquelyidentifies the mobile terminal 12 and/or its user. As indicated in FIG.1, the mobile terminal 12 preferably is a mobile phone, smart phone or asimilar device. The person skilled in the art will appreciate, however,that the mobile terminal 12 according to the present invention can beimplemented in the form of other devices as well, such as a tablet ornotebook computer, a TV system, a set top box, a vending machine, avehicle, a surveillance camera, a sensor device and the like. Thecommunications system 10 shown in FIG. 1, moreover, comprises a firstserver 42 and a second server 44 that are part of a subscriptionmanagement backend system 40 for providing the secure element 20 of themobile terminal 12 with a subscription profile. As will be described inmore detail further below, the first server 42 (herein referred to as asubscription management server 42) and the second server 44 (hereinreferred to as a subscription provisioning server 44) of thesubscription management backend system 40 could be operated by a singleentity or by two different entities, for instance by a mobile networkoperator (MNO) and a manufacturer/vendor of the mobile terminal 12and/or the secure element 20.

According to preferred embodiments of the invention the secure element20 is configured as an eUICC or UICC with a SIM application runningthereon, i.e. a secure element that can be mounted in the mobileterminal 12 and used in cellular communications systems for unique andsecure subscriber identification as well as for the provision ofdifferent special functions and value-added services. Alternatively, thesecure element 20 could be configured as a subscriber identity module(SIM), the SIM currently being the most popular type of secure element.The person skilled in the art will appreciate, however, that other typesof secure elements that, depending on the underlying generation and typeof cellular communications system standard, are designated as USIM,R-UIM, ISIM and the like, are also encompassed by the present invention.

As already mentioned above, the mobile terminal 12 is configured tocommunicate via the air interface (or radio link) with a cellularcommunications network or public land mobile network (PLMN) 30,preferably operated by a mobile network operator (MNO) according to theGSM standard, as well as other mobile terminals connected therewith. Inthe following, preferred embodiments of the invention will be describedin the context of a cellular communications network according to thestandards of the Global System for Mobile communication (GSM), asspecified in a number of specifications provided by ETSI. However, theperson skilled in the art will appreciate that the present invention maybe advantageously applied in connection with other cellularcommunications systems as well. Such systems include third-generationcellular communications systems (3GPP), such as the Universal MobileTelecommunications System (UMTS), and next generation orfourth-generation mobile networks (4G), such as Long Term Evolution(LTE), as well as other cellular communications systems, such as CDMA,GPRS (General Packet Radio Service) and the like.

As is well known to the person skilled in the art, a PLMN configuredaccording to the GSM standard generally comprises a base stationsubsystem consisting of one or more base transceiver stations thatdefine respective cells of the PLMN and are connected to a base stationcontroller. Generally, the base station controller is one of severalbase station controllers that communicate with a mobile switching center(MSC). Often, a local database called Visitor Location Register (VLR)for keeping track of the mobile users currently located within the cellscovered by a MSC (i.e. the MSC service area) is incorporated in the MSC.The MSC provides essentially the same functionality as a central officeswitch in a public-switched telephone network and is additionallyresponsible for call processing, mobility management, and radio resourcemanagement. The MSC is further in communication with a home locationregister (HLR), which is the primary database of the PLMN that storesinformation about its mobile users required for authentication. To thisend, the HLR generally is in communication with an authentication center(AUC). The person skilled in the art will appreciate that although theabove described components of a conventional GSM system may havedifferent names in different or consecutive standards for mobilecommunications networks, the underlying principles used therein aresubstantially similar and, therefore, compatible with the presentinvention.

As is known to the person skilled in the art, the communication meansbetween the above mentioned components of the PLMN may be proprietary ormay use open standards. The protocols may be SS7 or IP-based. SS7 is aglobal standard for telecommunications defined by the InternationalTelecommunication Union (ITU) Telecommunication Standardization Sector(ITU-T). The standard defines the procedures and the protocol by whichnetwork elements in the public switched telephone network (PSTN)exchange information over a digital signaling network to effect wireless(cellular) and wired call setup, routing and control. The SS7 networkand protocol are used for e.g. basic call setup, management, wirelessservices, wireless roaming, and mobile subscriber authentication, i.e.enhanced call features providing for efficient and secure worldwidetelecommunications. How the network elements are grouped or leftseparate and the interfaces—whether proprietary or open—between theseelements are left to the MNO.

As can be taken from the enlarged view of the secure element 20 in FIG.1, the secure element 20 preferably comprises a central processing unit(CPU) 22. Preferably, the CPU 22 is configured such that at least oneapplication 24 can be executed on the CPU 22 providing for features thatwill be described in the context of FIG. 2 in more detail further below.The application 24 could be implemented, for instance, as a Java Applet.For providing an execution environment for the application 24 a secureelement operating system (not shown in FIG. 1) is preferably beingexecuted on the CPU 22.

Moreover, the secure element 20 preferably comprises a memory unit 26,which preferably is implemented as a non-volatile, rewritable flashmemory. Preferably, a first portion 26 a of the memory unit 26 isconfigured to securely store secret data therein. As will be explainedin more detail in the context of FIG. 2, this secret data preferablyincludes an identification element ID_(se) for uniquely identifying thesecure element 20. The identification element ID_(se) could be, forinstance, the ICCID (integrated circuit card identity) of the secureelement 20. Moreover, a secure element key K_(se) and a configurationkey K_(conf) are preferably stored in the first portion 26 a of thememory unit 26. The identification element ID_(se), the secure elementkey K_(se) and/or the configuration key K_(conf) can be stored on thesecure element 20 during the manufacturing and/or personalizationprocess of the secure element 20. As will be described in more detailfurther below, the secure element key K_(se) and the configuration keyK_(conf) are originally available to the secure element 20 as well asthe subscription provisioning server 44 of the subscription managementbackend system 40.

As can be taken from FIG. 1, moreover, a first subscription profile SUB1is stored in the memory unit 26 of the secure element 20, for instancein a second portion 26 b thereof. This first subscription profile SUB1can comprise at least parts of an operating system of the secure element20, one or more applications, such as a PLMN access applicationcontaining a MNO specific authentication algorithm, files and/or data,such as subscription credentials that allow the secure element 20 andthe mobile terminal 12 to attach to the PLMN 30. Preferably, also atleast parts of the second portion 26 b of the memory unit 26 of thesecure element 20 are configured to securely store the data therein, forinstance any subscription credentials to be kept secret, such as anInternational Mobile Subscriber Identity (IMSI) and/or an authenticationkey K_(i), that are part of the first subscription profile SUB1. Asindicated in FIG. 1, the second portion 26 b of the memory unit 26preferably provides several “slots” for accommodating additionalsubscription profiles, such as a second subscription profile SUB2 to beprovided by the subscription management backend system 40 according tothe process shown in FIG. 2 and described in more detail further below.In other words, the secure element 20 preferably supports storage ofmultiple subscription profiles. These multiple subscription profiles maybe associated with one MNO or different MNOs.

Preferably, the first subscription profile SUB1 can be stored in thememory unit 26 of the secure element 20 during the manufacturing and/orpersonalization process of the mobile terminal 12 and/or its secureelement 20. Especially in this preferred embodiment it is conceivablethat the first subscription profile SUB1 is merely a provisionalsubscription profile only providing for basic services that allow thesecure element 20 and mobile terminal 12 to communicate with thesubscription management backend system 40 and to download a morecomplete subscription profile providing for additional services, such asthe second subscription profile SUB2 shown in FIG. 1. As a provisionalsubscription profile, such as the first subscription profile SUB1 shownin FIG. 1, generally provides only a limited functionality, the user ofthe mobile terminal 12 generally will be enticed to change to a morecomplete subscription profile providing for additional services, such asthe second subscription profile SUB2 shown in FIG. 1.

As shown in FIG. 1 and as already mentioned above, the mobile terminal12 can communicate via the PLMN 30 with the subscription managementserver 42 and the subscription provisioning server 44 that are part ofthe subscription management backend system 40. A first database 43 couldbe in communication with the subscription management server 42 orimplemented thereon. A second database 45 could be in communication withthe subscription provisioning server 44 or implemented thereon. Althoughthe secure element 20 and the mobile terminal 12 communicate preferablyvia the PLMN 30 with the subscription management server 42 and/or thesubscription provisioning server 44, the person skilled in the art willappreciate that this communication can happen over a differentcommunication channel as well, such as a LAN, WLAN or WiFi networkconnected to the Internet. The person skilled in the art will appreciatethat communicating via these different communication channels andtransferring data from the subscription management server 42 and/or thesubscription provisioning server 44 to the secure element 20 mightrequire some special technical solutions, which, however, are not thesubject of the present invention.

The functioning of the subscription management server 42 and thesubscription provisioning server 44 of the subscription managementbackend system 40 in combination with the other elements of thecommunications system 10 shown in FIG. 1 will now be described underfurther reference to FIG. 2.

In step S1 of FIG. 2, which could be triggered by the secure element 20requesting a new subscription profile from the subscription managementbackend system 40, the secure element 20 authenticates itself vis-à-visthe subscription management server 42 of the subscription managementbackend system 40. This authentication could be carried out via the PLMN30, for instance, by using services provided by the PLMN 30 oralternatively by using the PLMN 30 simply as a means for transportingauthentication credentials. The person skilled in the art willappreciate, however, that the authentication can be done over adifferent communications network as well, such as a LAN, WLAN or WiFinetwork connected to the Internet. According to one embodiment of thepresent invention it is conceivable that the secure element 20authenticates itself vis-à-vis the subscription management server 42 byusing the subscription credentials of the exemplary provisionalsubscription profile SUB1 for attaching the secure element 20 to thePLMN 30 that are securely stored within the memory unit 26 of the secureelement 20. By means of the authentication step S1 of FIG. 2 the secureelement 20 proves to the subscription management server 42 that it isallowed to download a subscription profile. As used herein “downloadinga subscription profile” can have the meaning of a complete exchange ofan old subscription profile with a new subscription profile, theaddition of a new subscription profile besides an already existingsubscription profile as well as a partial exchange of an existingsubscription profile with a new version of the existing subscriptionprofile.

After a successful authentication of the secure element 12, for instanceby means of the subscription credentials of the provisional subscriptionprofile SUB1, a subscription management application (referred to in FIG.2 as “SM APP”) can be downloaded in step S2 of FIG. 2 from thesubscription management server 42 to the mobile terminal 12. Preferably,the subscription management application SM APP can run on the mobileterminal 12. Additionally or alternatively, the subscription managementapplication SM APP can be executed on the secure element 20 as well. Asthe person skilled in the art will appreciate, step S2 of FIG. 2 couldbe omitted, for instance, if the subscription management application SMAPP has been already downloaded and installed on the mobile terminal 12and/or the secure element 20 during a previous subscription profiledownload/update session.

Preferably, the subscription management application SM APP downloaded instep S2 of FIG. 2 coordinates the subscription profile update accordingto the present invention. More specifically, in case the subscriptionmanagement application SM APP is being executed on the mobile terminal12, it preferably provides on the one hand access to the subscriptionmanagement server 42 and on the other hand an interface to the secureelement 20 for providing the secure element 20 with a new or updatedsubscription profile.

Once the subscription management application SM APP has been installedand is being executed on the mobile terminal 12 and/or the secureelement 20, the subscription management application SM APP determines instep S3 of FIG. 2 information about the hardware configuration HW_(conf)of the mobile terminal 12 and/or its secure element 20, such as the typeof the central processing unit (CPU) of the secure element 20 and/or themobile terminal 12, the amount of free and used memory available on thesecure element 20 and the like. According to the present invention it isconceivable that at least some information about the hardwareconfiguration HW_(conf) of the secure element 20 and/or the mobileterminal 12 is already stored in the memory unit 26 of the secureelement 20 and/or in a memory unit of the mobile terminal 12 and can beretrieved therefrom by the subscription management application SM APP.Alternatively or additionally, at least parts of the hardwareconfiguration HW_(conf) can be determined on-the-fly by the subscriptionmanagement application SM APP running on the secure element 20 and/orthe mobile terminal 12. As will described in more detail further below,on the basis of the hardware configuration HW_(conf) of the secureelement 20 and/or the mobile terminal 12 only those subscriptionprofiles will be offered to the user of the mobile terminal 12 fordownloading which are compatible with the hardware configurationHW_(conf) as determined by the subscription management application SMAPP in step S3 of FIG. 2.

In step S4 of FIG. 2, the secure element 20 creates a temporary sessionkey K_(ses) for securing certain steps of the preferred subscriptionprofile update session shown in FIG. 2. Preferably, the session keyK_(ses) is a nonce, i.e. an arbitrary number used only once. Thisensures that for every subscription profile update session, such as thesubscription profile update session shown in FIG. 2, a different sessionkey K_(ses) is used. As is well known to the person skilled in the art,such a nonce can be created, for instance, by using a pseudorandomnumber generator, preferably a cryptographically secure pseudorandomnumber generator.

In step S5 of FIG. 2 the identification element ID_(se) of the secureelement 20 stored within the first portion 26 a of the memory 26 of thesecure element 20 is send preferably together with the hardwareconfiguration HW_(conf) determined in step S3 and the session keyK_(ses) created in step S4 of FIG. 2 to the subscription managementserver 42. To this end, these data elements are preferably concatenatedand the resulting data string is encrypted using the configuration keyK_(conf) resulting in the encrypted messageC=ENC(ID_(se)∥K_(ses)∥HW_(conf), K_(conf)) where the symbol ∥ denotesthe concatenation operation and ENC( . . . , K_(conf)) denotes anencryption operation using the configuration key K_(conf). Preferably,the encrypted message C, in turn, is concatenated with theidentification element ID_(se) of the secure element 20 resulting in themessage ID-_(Se)∥ENC(ID_(se)∥K_(ses)∥HW_(conf), K_(conf)). Preferably,this message containing the identification element ID_(se) in the clearand the encrypted message C is send to the subscription managementserver 42 in step S5 of FIG. 2. As the person skilled in the art willappreciate, the identification element ID_(se) can be retrieved fromthis message by any recipient thereof, whereas the remaining partsthereof can only be read by a recipient in possession of theconfiguration key K_(conf).

As the person skilled in the art will appreciate, the order of theelements in concatenating the identification element ID_(se), thehardware configuration HW_(conf) and the session key K_(ses) is a matterof choice and, thus, not critical with respect to the present invention,as long as the sender and receiver have agreed on the same order. Forencrypting the data string resulting from the concatenation of theidentification element ID_(se), the hardware configuration HW_(conf) andthe session key K_(ses) any symmetric encryption algorithm can beemployed using the configuration key K_(conf), such as AES, DES, 3DES,or the like.

Having received the message sent by the secure element 20 in step S5 ofFIG. 2, the subscription management server 42 extracts theidentification element ID_(se) therefrom, which, as outlined above, hasbeen sent in the clear. Based on this identification element ID_(se) ofthe secure element 20 the subscription management server 42 candetermine one or more appropriate subscription provisioning servers, forinstance the subscription provisioning server 44, that have access, inparticular, to hardware specific data about the secure element 20 and/orthe mobile terminal 12 being associated with the identification elementID_(se) of the secure element 20. Having determined at least one suchappropriate subscription provisioning server, e.g. the subscriptionprovisioning server 44 shown in FIG. 1, the subscription managementserver 42 preferably forwards the identification element ID_(se) of thesecure element 20 to the subscription provisioning server 44.Preferably, the subscription provisioning server 44 is operated by thevendor and/or manufacturer of the mobile terminal 12 and/or the secureelement 20 and has access to hardware specific data, i.e. dataassociated with the hardware configuration of the mobile terminal 12and/or the secure element 20.

In order to determine an appropriate subscription provisioning server, adatabase, such as the database 43 shown in FIG. 1, could be incommunication with the subscription management server 42 or implementedthereon, wherein a multitude of different identification elements ofsecure elements, such as the identification element ID_(se) of thesecure element 20, are linked to one or more appropriate subscriptionprovisioning servers, respectively. These one or more appropriatesubscription provisioning servers, such as the subscription provisioningserver 44 shown in FIG. 1, could be identified, for instance, by an IPaddress, a URL or the like.

Having received the identification element ID_(se) of the secure element20 in step S6 of FIG. 2, the subscription provisioning server 44 in stepS7 of FIG. 2 returns the configuration key K_(conf) associated with theidentification element ID_(se) of the secure element 20 to thesubscription management server 42. To retrieve this configuration keyK_(conf) the subscription provisioning server 44 could access thedatabase 45, wherein a multitude of configuration keys, such as theconfiguration key K_(conf), are stored in connection with a plurality ofsecure element identification elements, such as the identificationelement ID_(se) of the secure element 20. As already mentioned above,the database 45 could be hosted on a different server or implemented onthe subscription provisioning server 44 itself.

Preferably, the subscription provisioning server 44 provides thesubscription management server 42 with the configuration key K_(conf)only in case the subscription provisioning server 44 can trust thesubscription management server 42. To this end, according to preferredembodiments of the invention, in particular, when the subscriptionprovisioning server 44 and the subscription management server 42 areoperated by different entities, the subscription management server 42has to authenticate itself vis-à-vis the subscription provisioningserver 44 before the configuration key K_(conf) is provided to thesubscription management server 42 in step S7 of FIG. 2.

Using the configuration key K_(conf) received from the subscriptionprovisioning server 44 in step S7 of FIG. 2 the subscription managementserver 42 decrypts in step S8 of FIG. 2 the part of the message sent bythe secure element 20 in step S5 of FIG. 2 that has been encrypted usingthe configuration key K_(conf). In doing so, the subscription managementserver 42 preferably retrieves once more the identification elementID_(se) of the secure element 20, the session key K_(ses) as well as thehardware configuration HW_(conf) of the secure element 20 and/or themobile terminal 12. By comparing the identification element ID_(se)obtained by decrypting the message provided by the secure element 20 instep S5 of FIG. 2 with the identification element ID_(se) that has beentransmitted in the clear as part of that message, the subscriptionmanagement server 42 can verify that the configuration key K_(conf)provided by the subscription provisioning server 44 is correct, i.e.identical with the configuration key K_(conf) used by the secure element20 to encrypt the message sent in step S5 of FIG. 2. In case of anydiscrepancy the subscription management server 42 could ask the secureelement 20 to retransmit the message sent in step S5 of FIG. 2 and/orthe subscription provisioning server 44 to check the configuration keyK_(conf) provided in step S7 of FIG. 2.

In step S8 of FIG. 2 the subscription management server 42, furthermore,determines on the basis of the hardware configuration HW_(conf) of thesecure element 20 and/or the mobile terminal 12 the subscriptionprofiles that are compatible with the hardware configuration thereof andcreates a list of corresponding subscription profiles available to thesecure element 20 and/or the mobile terminal 12. Thereafter, this listis forwarded in step S9 of FIG. 2 to the mobile terminal 12 and, forinstance, displayed on the screen of the mobile terminal 12 promptingthe mobile user to select one of the available subscription profiles.The list of selectable subscription profiles could comprise for eachselectable subscription profile additional information, such as themonthly costs, additional services and the like of a respectivesubscription profile.

Once the user of the mobile terminal 12 has selected one of theavailable subscription profiles, for instance, via a touchpad of hismobile terminal 12, the subscription management server 42 is informedabout the selected subscription profile (referred to in FIG. 2 assubscription profile SUB), which, in turn, forwards this information tothe subscription provisioning server 44. Thus, both the subscriptionmanagement server 42 and the subscription provisioning server 44 areinformed about the subscription profile SUB selected by the user of themobile terminal 12.

According to the present invention the selected subscription profile SUBgenerally includes a hardware specific portion as well as a cellularcommunications network specific portion. The hardware specific portionof the subscription profile SUB refers to any components of thesubscription profile that are related to the hardware of the mobileterminal 12 and/or the secure element 20 and preferably comprises atleast parts of a secure element operating system (referred to asoperating system OS in FIG. 2) and/or one or more applications (referredto as applications APPS in FIG. 2) that depend upon the hardwareconfiguration HW_(conf) of the secure element 20 and/or the operatingsystem OS thereof. The network specific portion of the subscriptionprofile SUB refers to any components of the subscription profile thatare related to the details of the PLMN 30 (or a different PLMNassociated with the subscription profile SUB) and preferably comprisessubscription credentials (referred to in FIG. 2 as subscriptioncredentials CREDS), such as an International Mobile Subscriber Identity(IMSI) and/or an authentication key K_(i). The person skilled in the artwill appreciate that also the network specific portion of thesubscription profile SUB can include applications, for instance, a PLMNaccess application containing a MNO specific authentication algorithm.

As generally the hardware specific data of a subscription profile areavailable to the manufacturer and/or vendor of the mobile terminal 12and/or the secure element 20, whereas the network related data areavailable to the MNO of the PLMN 30 (or a different PLMN), preferablythe subscription provisioning server 44 providing for the hardwarespecific data is operated by the manufacturer and/or vendor of themobile terminal 12 and/or the secure element 20 and the subscriptionmanagement server 42 providing for the network specific data is operatedby the MNO of the PLMN 30 (or a new PLMN used by the subscriptionprofile SUB). Alternatively, the subscription management server 42 couldbe operated by a subscription management provider serving a number ofdifferent MNOs.

In step 10 of FIG. 2 the subscription management server 42 requests fromthe subscription provisioning server 44 the hardware specific portion ofthe subscription profile SUB selected by the user of the mobile terminal12 in step S9 of FIG. 2. The subscription provisioning server 44compiles and preferably encrypts this hardware related data using thesecure element key K_(se), comprising in particular at least parts of asecure element operating system OS and/or one or more applications APPSthat depend upon the hardware configuration HW_(conf) of the secureelement 20 and/or the new operating system OS thereof. According to apreferred embodiment of the invention this data is encrypted togetherwith a respective checksum thereof, resulting preferably in thefollowing encrypted data elements ENC(OS∥CS(OS), K_(se)) andENC(APPS∥CS(APPS), K_(se)), wherein CS(OS) and CS(APPS) denote achecksum determined on the basis of the secure element operating systemOS and the one or more applications APPS, respectively. The subscriptionprovisioning server 44 returns the encrypted data elements to thesubscription management server 42, which cannot decrypt these dataelements, as the subscription management server 42 does not have accessto the secure element key K_(se) that is shared by the secure element 20and the subscription provisioning server 44 only. Thus, the subscriptionmanagement server 42 will not have access to this potentiallyconfidential data.

The subscription management server 42 preferably concatenates theencrypted data elements provided by the subscription provisioning server44 in step S10 of FIG. 2, i.e. ENC(OS∥CS(OS), K_(se)) andENC(APPS∥CS(APPS), K_(se)), with the network specific portion of thesubscription profile SUB provided by the subscription management server42 or the database 43 in communication therewith. Preferably, thisnetwork specific portion of the subscription profile SUB provided by thesubscription management server 42 includes subscription credentials(referred to as subscription credentials CREDS in FIG. 2), such as anInternational Mobile Subscriber Identity (IMSI) and/or an authenticationkey K_(i), that allow access to the PLMN 30 or a different PLMNsupported by the subscription profile SUB.

Preferably, the subscription management server 42 encrypts the networkspecific portion of the subscription profile SUB including thesubscription credentials CREDS using the configuration key K_(conf) thatwas received by the subscription management server 42 from thesubscription provisioning server 44 in step S7 of FIG. 2 (as well as inoriginally encrypted form from the secure element 20 in step S5 of FIG.2). Also in this case it is preferred that the network specific portionof the new subscription profile SUB including the subscriptioncredentials CREDs is encrypted together with a checksum thereofresulting preferably in the following encrypted data elementENC(CREDS∥CS(CREDS), K_(conf)), wherein CS(CREDS) denotes a checksumdetermined on the basis of the subscription credentials CREDS.

Preferably, the message M resulting from the concatenation of theencrypted data elements, i.e. ENC(OS∥CS(OS), K_(se)) andENC(APPS∥CS(APPS), K_(se)), provided by the subscription provisioningserver 44 in step S10 of FIG. 2 with the encrypted data element createdby the subscription management server 42 on the basis of thesubscription credentials CREDS, i.e. ENC(CREDS∥CS(CREDS), K_(conf)), is,in turn, encrypted by the subscription management server 42 using thesession key K_(ses), i.e. ENC(M, K_(ses)) with

M=ENC(OS∥CS(OS), K_(se))ENC(APPS∥CS(APPS), K_(se))∥ENC(CREDS∥CS(CREDS),K_(conf)). The session key K_(ses) had been provided to the subscriptionmanagement server 42 in encrypted form by the secure element 20 in stepS5 of FIG. 2 and has been decrypted by the subscription managementserver 42 in step S8 of FIG. 2 using the configuration key K_(conf)provided by the subscription provisioning server 44 in step S7 of FIG.2.

In step S11 of FIG. 2 the subscription management server 42 transmitsthe encrypted version of the message M to the secure element 20 via themobile terminal 12. Having received the encrypted message M, the secureelement 20, in turn, decrypts this message M in step S12 of FIG. 2 usingthe session key K_(ses) created in step S4 of FIG. 2. From the decryptedmessage M the secure element 20 extracts the operating system OS, theone or more applications APPS as well as the subscription credentialsCREDS of the subscription profile SUB selected by the user of the mobileterminal 12 in step S9 of FIG. 2. For decrypting the hardware specificportion of the subscription profile SUB, i.e. the operating system OSand the one or more applications APPS, the secure element 20 uses thesecure element key K_(se), whereas for decrypting the network specificportion of the subscription profile SUB, i.e. the subscriptioncredentials CREDS, the secure element 20 uses the configuration keyK_(conf). Moreover, in order to verify the integrity of the dataprovided by the subscription management server 42 in step S11 of FIG. 2the secure element 20 checks the respective checksums CS(OS), CS(APPS)and CS(CREDS) determined on the basis of the operating system OS, theone or more applications APPS as well as the subscription credentialsCREDS. If it is verified that the data is integer, i.e. has not beenmodified, the secure element 20 installs and/or stores the same on thememory unit 26 to be available for future use, i.e. for the nextattachment to the PLMN 30 or a different PLMN supported by thesubscription profile SUB.

Once the subscription profile SUB has been successfully implemented onthe secure element 20 in step S12 of FIG. 2, the secure element 20 sendsin step S13 of FIG. 2 a confirmation message to the subscriptionmanagement server 42. Furthermore, in response thereto, the subscriptionmanagement server 42 preferably provides the secure element 20 with anactivation code for activating the subscription profile SUB on thesecure element 20. These steps could be coordinated on the side of themobile terminal 12 by the subscription management application SM APPdownloaded in step S2 of FIG. 2 or a similar application runningthereon. After the subscription profile SUB has been activated by thesecure element 20 using the activation code provided by the subscriptionmanagement server 42, it is in principle possible to remove any “old”subscription profiles, such as the provisional subscription profile SUB1shown in FIG. 1, from the memory unit 26 of the secure element 20 tomake room for additional subscription profiles.

In case the subscription profile SUB cannot be successfully implementedor activated on the secure element 20, the secure element 20 preferablyreturns to the provisional subscription profile SUB1 that is stillstored on the memory unit 26 and can retry the above described processor specific steps thereof for obtaining a subscription profile via thePLMN 30 and the subscription management backend system 40.

Before or substantially concurrently with activating the subscriptionprofile SUB on the secure element 20 the subscription management server42 preferably sends a confirmation message to the MNO of the PLMNsupported by the subscription profile SUB and, in particular, thesubscription credentials CREDS thereof. In response thereto the MNO canactivate the subscription credentials CREDS of the subscription profileSUB in its HLR/AUC so that the mobile terminal 12 and its secure element20 can attach to the PLMN using the subscription credentials CREDS ofthe subscription profile SUB.

Although it has been described above that one or more applications APPSas part of the new subscription profile SUB are provided by thesubscription provisioning server 44, the person skilled in the art willappreciate that the present invention can be advantageously implementedin cases, where such applications as part of the new subscriptionprofile SUB are additionally or alternatively provided by thesubscription management server 42, for instance an PLMN accessapplication containing a MNO specific implementation of anauthentication algorithm. With respect to the present invention it ismerely important that one portion of the subscription profile SUB isprovided by the subscription provisioning server 44, namely the hardwarespecific portion thereof, and that another portion of the subscriptionprofile SUB is provided by the subscription management server 42, namelythe network specific portion thereof.

In light of the above detailed description the person skilled in the artwill appreciate that modifications and/or additions can be made to themethods, devices and systems as described heretofore, which are to beconsidered to remain within the scope of the present invention asdefined by the appended claims.

1-15. (canceled)
 16. A method of providing a secure element of a mobileterminal with a subscription profile, wherein the mobile terminal isconfigured to communicate with a cellular communications network andwherein the subscription profile comprises a network specific portionrelated to the cellular communications network or a different cellularcommunications network as well as a hardware specific portion related tothe hardware of the secure element and/or the mobile terminal, whereinthe method comprises the steps of: assembling the subscription profile,wherein the network specific portion of the subscription profile isprovided by a first server and the hardware specific portion of thesubscription profile is provided by a second server; and providing theassembled subscription profile over-the-air to the secure element. 17.The method of claim 16, wherein prior to the step of assembling thesubscription profile, the method comprises the additional step ofidentifying the secure element by means of an identification element fordetermining a configuration key and a secure element key associated withthe secure element.
 18. The method of claim 17, wherein the step ofidentifying the secure element comprises the steps of: transmitting theidentification element from the secure element to the first server;forwarding the identification element of the secure element to thesecond server; and transmitting the configuration key determined on thebasis of the identification element from the second server to the firstserver.
 19. The method of claim 18, wherein the identification elementis transmitted from the secure element to the first server by means of amessage including the identification element in the clear and anencrypted version of the identification element encrypted by using theconfiguration key stored on the secure element.
 20. The method of claim19, wherein the message further comprises an encrypted version of asession key created by the secure element and an encrypted version of ahardware configuration of the secure element and/or the mobile terminalboth encrypted using the configuration key.
 21. The method of claim 20,wherein the first server decrypts the encrypted version of theidentification element, the encrypted version of the session key and theencrypted version of the hardware configuration of the secure elementand/or the mobile terminal using the configuration key provided by thesecond server so that the first server can verify the validity of theconfiguration key provided by the second server by verifying that theidentification element sent in the clear is identical to theidentification element resulting from the decryption of the encryptedversion of the identification element using the configuration key. 22.The method of claim 20, wherein the hardware configuration of the secureelement and/or the mobile terminal is determined on the fly by asubscription management application being executed on the secure elementand/or the mobile terminal or retrieved from a memory unit of the secureelement and/or a memory unit of the mobile terminal.
 23. The method ofclaim 19, wherein the second server transmits the configuration keydetermined on the basis of the identification element to the firstserver only after the first server has successfully authenticated itselfvis-à-vis the second server.
 24. The method of claim 18, wherein thestep of assembling the subscription profile comprises the steps ofencrypting the hardware specific portion of the subscription profile bythe second server using the secure element key and encrypting thenetwork specific portion of the subscription profile by the first serverusing the configuration key.
 25. The method of claim 24, furthercomprising the step of encrypting the encrypted hardware specificportion of the subscription profile and the encrypted network specificportion of the subscription profile using a session key created by thesecure element.
 26. The method of claim 16, wherein the step ofassembling the subscription profile comprises the additional step ofdetermining at least one subscription profile, including thesubscription profile, being compatible with a hardware configuration ofthe secure element and/or the mobile terminal.
 27. The method of claim16, wherein the hardware specific portion of the subscription profilecomprises at least parts of an operating system for the secure elementand/or the network specific portion of the subscription profilecomprises subscription credentials, including an IMSI and/or anauthentication key K_(i), for attaching the secure element to thecellular communications network or a different cellular communicationsnetwork.
 28. A secure element comprising a subscription profile providedto the secure element by the method according to claim
 16. 29. A mobileterminal containing a secure element according to claim
 28. 30. Asubscription management backend system, comprising a first server and asecond server, wherein the first server and the second server areconfigured to provide a secure element of a mobile terminal with asubscription profile by the method according to claim 16.